CVE-2026-29057
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Next.js is a popular open-source React framework that enables server-side rendering, static site generation, and full-stack web application development.
A medium-severity HTTP Request Smuggling vulnerability (CVE-2026-29057) has been identified in Next.js. When Next.js rewrites proxy traffic to an external backend, a crafted DELETE or OPTIONS request using Transfer-Encoding: chunked can trigger a request boundary disagreement between the proxy and the backend. This allows an attacker to smuggle a second request to unintended backend routes, such as internal or admin endpoints, bypassing assumptions that only the configured rewrite destination is reachable.
Per OWASP: HTTP Request Smuggling is a class of vulnerabilities caused by inconsistencies in how HTTP requests are parsed by front-end and back-end components. When intermediaries such as reverse proxies or load balancers interpret request boundaries differently than back-end servers -- specifically through conflicting interpretations of the Content-Length and Transfer-Encoding headers -- attackers can inject hidden requests that are processed out of sequence, leading to access control bypass, credential hijacking, or cache poisoning.
Details
Module Info
- Product: Next.js
- Affected packages: next
- Affected versions: >=9.5.0 <15.5.13; >=16.0.0-beta.0 <16.1.7
- GitHub repository: https://github.com/vercel/next.js
- Published packages: https://www.npmjs.com/package/next
- Package manager: npm
- Fixed in: OSS v15.5.13, v16.1.7
Vulnerability Info
This medium-severity vulnerability is found in Next.js versions >=9.5.0 and <15.5.13, as well as versions >=16.0.0-beta.0 and <16.1.7. See the affected versions above for specific details.
The vulnerability originates in an upstream library vendored by Next.js. When handling DELETE or OPTIONS requests that include a Transfer-Encoding: chunked header, the vendored library's deleteLength function incorrectly removes the transfer-encoding header and sets content-length: 0 before forwarding the request. The chunked body bytes are still sent to the backend, but the forwarded headers no longer declare any body, so the backend interprets those bytes as the start of a new, separate HTTP request.
This vulnerability could be exploited by:
- sending crafted DELETE or OPTIONS requests with Transfer-Encoding: chunked to rewritten routes
- including upgrade in the Connection header to prevent the proxy from closing the backend connection
- embedding a smuggled request (e.g., GET /secret) in the chunked body, which the backend parses as a separate request
This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
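The header normalisation described above, as an added example that is not code from the advisory or the Next.js code base: a model of the vulnerable deleteLength behaviour next to a hardened variant (an assumed fix, not the upstream patch) that only synthesises content-length: 0 when the request declares no body framing at all, plus a helper that reports how a backend would frame the forwarded body bytes. The header objects and body size are constructed sample values.

```javascript
// Added example, not from the advisory or Next.js. Headers use Node-style
// lowercase keys; the request body is represented only by its byte count.

// Models the vulnerable behaviour: for DELETE/OPTIONS without a content-length,
// drop transfer-encoding and force content-length: 0. A chunked body the client
// sent is then forwarded with no framing that covers it.
function normalizeVulnerable(method, headers) {
  const out = { ...headers };
  if ((method === 'DELETE' || method === 'OPTIONS') && !out['content-length']) {
    out['content-length'] = '0';
    delete out['transfer-encoding'];
  }
  return out;
}

// Hardened variant (assumed fix, not the upstream patch): only add
// content-length: 0 when neither framing header is present, so a chunked
// request keeps its transfer-encoding and the backend reads the body as a body.
function normalizeHardened(method, headers) {
  const out = { ...headers };
  const hasFraming = 'content-length' in out || 'transfer-encoding' in out;
  if ((method === 'DELETE' || method === 'OPTIONS') && !hasFraming) {
    out['content-length'] = '0';
  }
  return out;
}

// How a backend frames the body bytes given the forwarded headers:
// 'body' if the declared framing covers them, 'unframed' if they are left
// over and would be parsed as the start of a following request.
function framingOfBody(headers, bodyLength) {
  if (/chunked/i.test(headers['transfer-encoding'] || '')) return 'body';
  const declared = Number(headers['content-length'] || 0);
  return bodyLength <= declared ? 'body' : 'unframed';
}

// Constructed sample: a chunked DELETE with a 64-byte body.
const sampleHeaders = { host: 'app.example', 'transfer-encoding': 'chunked' };
const sampleBodyLength = 64;

function demo() {
  return {
    vulnerable: framingOfBody(normalizeVulnerable('DELETE', sampleHeaders), sampleBodyLength),
    hardened: framingOfBody(normalizeHardened('DELETE', sampleHeaders), sampleBodyLength),
  };
}
```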
Mitigation
Next.js versions in the affected range prior to 15.5.13 are End-of-Life and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Next.js.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.